The internal audit function of Commonwealth Bank nailed the group's core deficiencies many times, but "there was not enough sense of urgency, and only fix things where they become mandatory compliance," Matt Comyn, the bank's CEO told the financial services royal commission yesterday.A full day's evidence by Comyn produced few startling disclosures, but his account only adds to discomfort over the core competencies of the bank.Rowena Orr, counsel assisting, used the report of APRA's prudential inquiry (from May), to highlight a number of exchanges between Comyn and his 500 most senior colleagues.Mark Worthington, head of the bank's internal audit function wrote to the CBA CEO: "Firstly, I must say that I agree that the report was well-written and fair. "There are many references in the report to findings made by my team over recent years and references to us uncovering many of the control weaknesses that were used to substantiate the APRA conclusions. This is a double-edged sword, for it lends credibility to our work, but has now led to much public criticism of the organisation."Frankly, there is not much in the APRA report that audit has not said before, but perhaps we need to improve in the area of articulating our views."Marianne Perkovic, the executive general manager of Commonwealth Private told Comyn: "My drive and motivation to lead these challenging opportunities where I put my brand and reputation in the firing line for CBA has always been a personal commitment to putting things right for our clients. "I am proud that this is how I operate, but I also feel disappointed as I know I have let some of our clients, people and the community down by not speaking up loud enough to stand up to behaviours that I knew were not right."Dan Huggins, executive general manager for home buying told Comyn that he thought CBA had become "too accepting of poor underlying processes, outdated systems and underperformance within the value chain."Asked to ponder these themes - neither speaking up nor following up - Comyn said: "The [APRA] report speaks about the strength of the finance function, and certainly relative to a weakness of the 'voice of risk', as it's referred to, that is a common theme … yes, there's not enough sense of urgency."Then putting things in a nutshell, Comyn said: "We seemed to be caught reacting, responding, remediating, in an ever increasing cycle of that without actually truly understanding the root cause [and] making the appropriate investments."Orr asked: "How are you going to ensure that the voice of risk, including risk related to poor customer outcomes, is not subordinated to the voice of finance?"Comyn explained there was, now, "the creation of a specific management of non-financial risk which is specifically designed to deal with operational risk and compliance risk throughout the organisation in each of the business units, and ultimately the executive leadership team. "Too often the risk committees that function inside the organisation, even though compliance are often regular attendees, they were also melded together with